EIP for disabling SELFDESTRUCT opcode

EIPs
20

Hi, I am one of the participants in the Ethereum Core Developer Apprenticeship program, and have performed some chain analysis on current usages of SELFDESTRUCT here.

In the analysis, I discovered that there is an issue with the current proposal to disable or neuter the SELFDESTRUCT opcode, in that it opens a security risk to uninformed users of the Pine Finance contract. In short, users of this contract send tokens to an predetermined address called a vault. Relayers then trigger a function in the PineCore contract to create a new contract at this predetermined address using CREATE2, which executes a trade and then self destructs. Under the current behaviour, it is possible for a user to use the same vault several times. If SELFDESTRUCT is neutered, however, this would no longer be possible. In fact, if a user then tried to send tokens to a used vault, anyone could steal the tokens in the vault.

The possible options I see are:

  1. Continue with the current proposal of neutering SELFDESTRUCT, but inform Pine Finance so they have time to deploy a new contract that doesn’t suffer from the same risks, in addition to informing their users about the risks of the existing contract. There could perhaps be other contracts that will be exposed to the same risk.

  2. Come up with a proposal that does not create the security risk above. This can be done by either

    a) Implement the full functionality of SELFDESTRUCT, but in a way that does not require changing an arbitrary large part of the state. @vbuterin has suggested a couple of ways to do this, essentially changing which address in the state tree stores the contract state each time the contract is self destructed.

    b) Allowing SELFDESTRUCT if the contract was created in the same transaction. This solves the issue in Pine Finance, and also gives us the invariant that deployed contracts are immutable. This may also be less complex to implement than 2a). The disadvantage is that it may be more complicated to reason about this behaviour where SELFDESTRUCT is sometimes allowed, compared to allowing SELFDESTRUCT in all cases. Also, while this solution solves the Pine Finance case, there may be other cases that break, so further analysis should be done to find out what else might break.

What would be the best way to proceed from here? Should I do more chain analysis to help make a decision?

2 Likes